One-liners: simple ASA log parsers

Sometimes you do not need a detailed log analysis, just a few simple one-liners that you can adjust without thinking too hard about how they work or what you did last time. The examples below are absolutely NOT optimal, but rather modular for easy line-editing.

1. Allowed traffic:

cat asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
 udp outside/10.2.8.25 -> inside/10.1.9.14(137)
 udp outside/10.2.8.25 -> inside/10.1.81.15(137)
 tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
 tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)

Noticed the “permitted” strings?

2. Denied traffic:

cat asa.log | grep denied | grep access-list |
sed -e 's/^.*denied//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1541)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1547)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)

3. The most popular permitted traffic:

cat asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' |
awk '{ conn[$0]++ } END { for (i in conn) print conn[i] "\t" i }' | sort -k1,1nr | less

Result (the first column is the number of matching log entries):

21170   tcp outside/10.2.8.40 -> inside/10.1.140.149(13000)
18023   tcp outside/10.2.8.34 -> inside/10.1.140.149(13000)
17981   tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)
11034   tcp inside/10.1.140.251 -> outside/10.2.8.68(10001)
10652   tcp outside/10.2.8.43 -> inside/10.1.140.137(13000)
10628   tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
10484   tcp outside/10.2.8.47 -> inside/10.1.140.137(13000)
10437   tcp outside/10.2.8.23 -> inside/10.1.140.137(13000)
7618   tcp outside/10.2.8.25 -> inside/10.1.140.137(13000)
7550   tcp outside/10.2.8.27 -> inside/10.1.140.137(13000)
7515   tcp outside/10.2.8.49 -> inside/10.1.140.137(13000)
7496   tcp outside/10.2.8.29 -> inside/10.1.140.137(13000)
6826   tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
6011   tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
5896   tcp outside/10.2.8.40 -> inside/10.1.141.23(8080)
5809   tcp outside/10.2.8.30 -> inside/10.1.140.137(13000)

4. Modification for ASA versions 8.2+ (denied traffic is logged as “Deny … src … dst … by access-group”):

cat asa.log | grep Deny | grep access-group |
sed -e 's/^.*Deny//' -e 's/by.*$//' |
sed -e 's/dst/ ->/' -e 's/src//' | less

You can use this method to generate a policy based on the current traffic.

Additional “greps” will let you filter for specific ports or IP addresses.

Replace “permitted” with “denied” and you’ll get the “most popular denied traffic”.
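The same four recipes as shell functions, reading the ASA syslog on stdin so you can pipe in a file or a live tail. This is an added example, not code from the original post; the log lines are constructed (fake addresses, a fake ACL name “outside_in”) in the layouts of ASA messages 106100 (sections 1–3) and 106023 (section 4).

```shell
#!/bin/sh
# Added example, not code from the original post: the one-liners above as
# functions reading an ASA syslog on stdin. The log lines below are constructed
# (fake addresses, fake ACL name "outside_in") in the 106100 / 106023 layouts.

SAMPLE_ASA_LOG='Jan 25 02:40:01 fw %ASA-6-106100: access-list outside_in permitted tcp outside/10.2.8.30(51234) -> inside/10.1.141.23(8080) hit-cnt 1 first hit [0x1, 0x0]
Jan 25 02:40:02 fw %ASA-6-106100: access-list outside_in permitted tcp outside/10.2.8.30(51235) -> inside/10.1.141.23(8080) hit-cnt 1 first hit [0x1, 0x0]
Jan 25 02:40:03 fw %ASA-6-106100: access-list outside_in permitted udp outside/10.2.8.25(137) -> inside/10.1.9.14(137) hit-cnt 1 first hit [0x2, 0x0]
Jan 25 02:40:04 fw %ASA-6-106100: access-list outside_in denied tcp inside/10.1.140.159(40000) -> outside/10.2.8.24(515) hit-cnt 1 first hit [0x3, 0x0]
Jan 25 02:40:05 fw %ASA-6-106100: access-list outside_in permitted tcp outside/10.2.8.30(51236) -> inside/10.1.141.23(8080) hit-cnt 1 first hit [0x1, 0x0]
Jan 25 02:41:00 fw %ASA-4-106023: Deny tcp src outside:10.2.8.24/1234 dst inside:10.1.140.159/515 by access-group "outside_in" [0x0, 0x0]'

# asa_flows ACTION  (sections 1 and 2): keep 106100 lines with ACTION
# (permitted|denied), strip everything up to the verb and from "hit-cnt" on,
# and drop the ephemeral source port so identical flows compare equal.
asa_flows() {
    grep 'access-list' | grep " $1 " |
    sed -e "s/^.* $1 //" -e 's/ hit-cnt.*$//' |
    sed -e 's/([0-9][0-9]*) ->/ ->/'
}

# asa_top ACTION  (section 3): count identical flows, most frequent first.
# "sort -k1,1nr" is the modern spelling of the old "sort +0nr".
asa_top() {
    asa_flows "$1" |
    awk '{ conn[$0]++ } END { for (i in conn) print conn[i] "\t" i }' |
    sort -k1,1nr
}

# asa_deny_82  (section 4): the 8.2+ "Deny ... src ... dst ... by access-group"
# layout, normalised to the same "proto src -> dst/port" shape.
asa_deny_82() {
    grep 'Deny' | grep 'access-group' |
    sed -e 's/^.*Deny //' -e 's/ by access-group.*$//' \
        -e 's/ src / /' -e 's/ dst / -> /' -e 's#/[0-9]* -># ->#'
}

# Small wrappers over the constructed sample so the results can be checked.
sample_top_flow()   { printf '%s\n' "$SAMPLE_ASA_LOG" | asa_top "$1" | head -n 1; }
sample_flow_count() { printf '%s\n' "$SAMPLE_ASA_LOG" | asa_top "$1" | awk 'END { print NR }'; }
sample_deny_82()    { printf '%s\n' "$SAMPLE_ASA_LOG" | asa_deny_82; }

# Usage on a real log:  asa_top permitted < asa.log | head -n 20
```

Dropping the source port before counting is what makes the “most popular” list useful: without it every client connection is a distinct key and nothing aggregates.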

What directory PHP is busy with

The file “cwd” under /proc/pid is a symbolic link to the “current working directory”:

for i in $(ps -ef | awk '/[p]hp/{print $2}')   # [p]hp: the awk itself does not match
do
    ls -l /proc/${i}/cwd
done

The result is:

lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:40 /proc/11544/cwd -> /home/alekz/public_html/blog/wp
lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:40 /proc/11764/cwd -> /home/alekz/public_html/alekz.net
lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:40 /proc/12574/cwd -> /home/alekz/public_html/alekz.net
lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:40 /proc/13081/cwd -> /home/alekz/public_html/alekz.net
lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:45 /proc/15053/cwd -> /home/alekz/public_html/blog/wp
lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:45 /proc/15056/cwd -> /home/alekz/public_html/blog/wp
lrwxrwxrwx 1 alekz alekz 0 Янв 25 02:49 /proc/15696/cwd -> /home/alekz/public_html/blog/wp/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage

Of course, you can use any other process name instead of php.

And here’s a “dynamic” version:

while true
do
    clear
    for i in $(ps -ef | awk '/[p]hp/{print $2}')
    do
        ls -l /proc/${i}/cwd
    done
    sleep 5
done
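The same trick as functions, summarising how many matching processes sit in each directory instead of printing one line per process. This is an added example, not from the original post; it assumes Linux procfs and a ps that accepts -o pid=,comm=.

```shell
#!/bin/sh
# Added example, not code from the original post: the /proc/<pid>/cwd trick as
# functions. Assumes Linux procfs and a ps that understands -o pid=,comm=.

# proc_cwd PID  -- print where PID is working; empty (and non-zero) if the
# process is gone or belongs to another user (readlink needs permission).
proc_cwd() {
    readlink "/proc/$1/cwd" 2>/dev/null
}

# cwd_by_name REGEX  -- one line per distinct working directory of the
# processes whose command name matches REGEX, prefixed with a count.
# Matching on the command name (comm) instead of the full command line avoids
# the one-liner's self-match, where awk '/php/' also matched its own process.
cwd_by_name() {
    ps -eo pid=,comm= | awk -v pat="$1" '$2 ~ pat { print $1 }' |
    while read -r pid; do
        d=$(proc_cwd "$pid") && [ -n "$d" ] && printf '%s\n' "$d"
    done | sort | uniq -c | sort -rn
}

# watch_cwd REGEX [SECONDS]  -- the "dynamic" version: redraw every SECONDS.
watch_cwd() {
    while true; do
        clear
        cwd_by_name "$1"
        sleep "${2:-5}"
    done
}

# Usage:  cwd_by_name '^php'   or   watch_cwd '^php' 5
```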

dcpumon and dcpumonview

Found another cPanel application which you can safely turn off in order to save some bytes and cycles.

By default dcpumon runs every 5 minutes to log CPU usage (“top” output):

# crontab -l | fgrep cpu
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
#

and stores the data in /var/log/dcpumon.

You can view the report with the dcpumonview command:

# /usr/local/cpanel/bin/dcpumonview
-----------------------------------------------------------
|User |Domain |CPU%|MEM%|MySQL#|
-----------------------------------------------------------
|alekz |alekz.net |17.72|37.07|0.3 |
| Top Process | 27.8 | /usr/bin/php |
| Top Process | 14.2 | /usr/bin/php |
| Top Process | 12.3 | /usr/bin/php |
|mysql | |11.47|3.05|0.0 |
| Top Process | 11.7 | /usr/sbin/mysqld --basedir/ --datadir/var/lib/mysql --usermysql --pid-file/var/lib/mysql/alekz.pid --skip-external-locking |

Firefox and places.sqlite tricks

Sometimes you need to remotely get your bookmarks or history, check the top-10 sites, etc. Here are some neat tricks to get the info from the Firefox Places file called places.sqlite, which is an SQLite database with the following tables (see also the picture):
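The “top-10 sites” and bookmark lookups as shell functions around the sqlite3 command-line tool. This is an added example, not from the original post; it assumes sqlite3 is installed and uses the moz_places (url, title, visit_count) and moz_bookmarks (type, fk, title) columns of Firefox's schema. Firefox keeps the live file locked, so the query runs against a copy; the sample database is a constructed subset with only those columns.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the sqlite3 CLI and
# a places.sqlite with Firefox's moz_places / moz_bookmarks tables; only the
# columns named below are used.

# places_copy SRC  -- Firefox keeps places.sqlite locked while it runs, so work
# on a copy; prints the path of the copy.
places_copy() {
    tmp=$(mktemp) && cp "$1" "$tmp" && printf '%s\n' "$tmp"
}

# top_sites DB [N]  -- the N most visited URLs (default 10): "visits<TAB>url".
top_sites() {
    sqlite3 -separator "$(printf '\t')" "$1" \
        "SELECT visit_count, url FROM moz_places
         WHERE visit_count > 0 ORDER BY visit_count DESC LIMIT ${2:-10};"
}

# bookmarks DB  -- "title<TAB>url" for real bookmarks (type 1); folders and
# separators have no fk into moz_places and are skipped by the join.
bookmarks() {
    sqlite3 -separator "$(printf '\t')" "$1" \
        "SELECT b.title, p.url FROM moz_bookmarks b
         JOIN moz_places p ON p.id = b.fk WHERE b.type = 1 ORDER BY b.id;"
}

# make_sample_places DB  -- constructed stand-in for a real places.sqlite with
# just the columns the queries above need (ids are assigned 1, 2, 3, 4).
make_sample_places() {
    sqlite3 "$1" "CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER DEFAULT 0);
CREATE TABLE moz_bookmarks(id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, parent INTEGER, title TEXT);
INSERT INTO moz_places(url, title, visit_count) VALUES
 ('https://example.org/', 'Example', 12),
 ('https://example.net/a', 'A', 3),
 ('https://example.com/', 'Com', 25),
 ('https://example.org/x', 'never visited', 0);
INSERT INTO moz_bookmarks(type, fk, parent, title) VALUES
 (2, NULL, 0, 'Toolbar folder'),
 (1, 1, 1, 'Example bookmark');"
}

# Usage on a real profile:
#   db=$(places_copy ~/.mozilla/firefox/<profile>/places.sqlite)   # path assumed
#   top_sites "$db"; bookmarks "$db"; rm -f "$db"
```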

MAC for UNIX

MAC (Monkey’s Audio Converter) for Windows can be downloaded from http://www.monkeysaudio.com. But what about a UNIX version? Two years ago v3.99 Update 4 Build 5 was released, but then development stopped because of conflicting licensing issues. That means MAC for UNIX is not maintained anymore. Fortunately, the old version still works. I compiled it under Solaris 11 x86 and use it for SqueezeCenter.

The source tar file is attached to the post: mac-399-u4-b5.tgz (MD5)

Some notes:

  • To check the MD5 digest:
    % md5sum -c mac-3.99-u4-b5.tgz.md5
    mac-3.99-u4-b5.tgz: OK
  • Always pass --prefix=/usr/local (or any other directory in which you keep non-standard files) to configure, because the default prefix is /usr and you would overwrite the Solaris file /usr/bin/mac (the message authentication code utility):
    % ./configure --prefix=/usr/local
  • If you are going to use the --enable-assembly=yes option (you need yasm to compile the assembler code) under Solaris, change “sh” to “bash” in src/MACLib/Assembly/Makefile in the following line (line 214 in my case):
    STRIP_FPIC = sh $(top_srcdir)/strip_fPIC.sh

    This is what the line should look like:

    STRIP_FPIC = bash $(top_srcdir)/strip_fPIC.sh
  • There is already a program /bin/mac (see above). If you don’t want to use the full path to the MAC, simply rename the latter:
    # mv /usr/local/bin/mac /usr/local/bin/MAC
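The notes above as a script: verify the digest, configure under a safe prefix, apply the Solaris sh-to-bash fix to the assembly Makefile, build, and rename the binary out of the way of /bin/mac. This is an added example, not from the original post; it assumes the tarball and its .md5 file are in the current directory and that the tarball unpacks into mac-3.99-u4-b5/ (directory name assumed).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes mac-3.99-u4-b5.tgz
# and mac-3.99-u4-b5.tgz.md5 in the current directory and an unpack directory
# named mac-3.99-u4-b5/ (assumed). Avoids "sed -i", which Solaris sed lacks.

# fix_strip_fpic MAKEFILE  -- the Solaris fix: run strip_fPIC.sh with bash
# instead of sh. Only the STRIP_FPIC line is touched; returns non-zero if that
# line is missing so a changed upstream Makefile is noticed, not silently skipped.
fix_strip_fpic() {
    grep -q '^STRIP_FPIC = sh ' "$1" || return 1
    sed 's#^STRIP_FPIC = sh \(.*\)$#STRIP_FPIC = bash \1#' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# build_mac [PREFIX] [configure options...]  -- never let PREFIX default to
# /usr: that would clobber the Solaris message-authentication-code tool
# /usr/bin/mac. Pass --enable-assembly=yes as an extra option if yasm is
# installed; the Makefile fix is applied whenever the assembly Makefile exists.
build_mac() {
    prefix=${1:-/usr/local}
    [ $# -gt 0 ] && shift
    md5sum -c mac-3.99-u4-b5.tgz.md5 || return 1
    gzip -dc mac-3.99-u4-b5.tgz | tar xf - || return 1
    cd mac-3.99-u4-b5 || return 1
    ./configure --prefix="$prefix" "$@" || return 1
    if [ -f src/MACLib/Assembly/Makefile ]; then
        fix_strip_fpic src/MACLib/Assembly/Makefile || return 1
    fi
    make && make install || return 1
    # Keep it from being confused with /bin/mac.
    mv "$prefix/bin/mac" "$prefix/bin/MAC"
}

# Usage:  build_mac /usr/local --enable-assembly=yes
```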